State confirms health website security breach

Nov. 22, 2013

Written by

DAVE GRAM

Associated Press

MONTPELIER — Officials overseeing the Vermont Health Connect website confirmed Friday there was a security breach on the system last month in which one user got improper access to another user’s Social Security number and other data.

A report from state to federal officials overseeing the health insurance exchanges set up under the Affordable Care Act said a consumer reported the incident with the Vermont Health Connect website on Oct. 17.

The consumer, whom officials would not identify, reported that he received in the mail — from an unnamed sender — a copy of his own application for insurance under the state exchange.

“On the back of the envelope was hand-written ‘VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!’ This was also (written) on the back of the last page of the printed out application,” said the incident report.

The report was prepared by Greg Needle, privacy administrator with Vermont Health Connect, and filed with the federal Centers for Medicare and Medicaid Services. The Associated Press obtained it after a request under the state public records law to the Department of Vermont Health Access.

The report did not identify the individual consumers involved in the breach.

Mark Larson, commissioner of the Department of Vermont Health Access, said the incident described in the report was the only one of its kind since Vermont Health Connect launched Oct. 1. He said technical changes had been made in the way the system handles user names and passwords.

“This was one case and it was responded to appropriately,” Larson said, adding that the department’s main concern is data security and making sure the “unique circumstances” that led to the breach cannot be replicated today.

During a meeting of the House Health Care Committee on Nov. 5, Rep. Mary Morrissey, R-Bennington, asked Larson to comment on information she had received about a security breach or breaches on the system. Larson said his department had investigated one such complaint and it had proven unfounded.

Morrissey said Friday she was disturbed to hear now that the department had reported a breach to CMS more than two weeks earlier.

Security breaches have been a concern nationally as federal and state exchanges have set up around the country. No major breaches have been reported, although in one publicized case the personal information of a South Carolina man was delivered to a website user who lives in North Carolina.